Re: multiple isp. masqueraded machines somtimes work and sometimes not

Anuj Singh <anujhere <at> gmail.com>
2006-04-02 15:05:03 GMT

Hi! After working on the problem I found that one of the DNS entries was wrong (this is a remote network and the basic configuration was done by someone else). After entering the proper nameservers I checked the performance, and so far there is no problem with both ISPs working.

Now about IP failover: I tried this script, called switch.sh:
# vi switch.sh

I found that if I add my shorewall restart it again changes the default gateway to the 1st ISP defined in the /etc/shorewall/providers file, which is unplugged or not working (it still works for a while, probably due to the ip route cache).
Now, to make it switch properly between the gateways, I copied the whole /etc/shorewall directory to a different location, say /shorewall2, with a change in the providers file, i.e. I defined just the opposite ISPs (changed the 1st ISP to 2 and the 2nd ISP to 1)

and defined it in my script (shown above in the script with directory /shorewall2). Now it was switching the ISPs, but I found it not working for the local network. By default, after a shorewall restart command it makes default gw = ISP1 in the providers file.

In the end I made another change in the script: to make it only change the gateway and do no shorewall restart. This time the internet was working on the local network. Just checked for a few minutes after flushing the ip route cache.

On Mon, March 27, 2006 10:23, Anuj Singh wrote:
> Yes both are connected to the same switch.

That's your answer. If the two interfaces are on different IP networks and
you do not use Proxy ARP, it will be sufficient to specify 'arp_ignore=1'
on both interfaces (/etc/shorewall/interfaces). They cannot be on the same
IP network and you cannot use Proxy ARP with that physical network
topology without using ebtables. You will probably have to restart your
firewall after making this change to get the upstream router(s) to get the
correct ARP information.

>> About the ip failover

Other folks have posted similar scripts, although most run the script as a
daemon rather than scheduling it via cron.

Two ISP

Nick Mashchenko <mnvbox <at> gmail.com>
2006-04-02 17:43:52 GMT

Hello all.
First of all, please be a bit indulgent to my poor English.
Second, this message is "kinda" BIG, so if you don't like BIG
messages, simply don't read it.
I've read http://shorewall.net/2.0/Shorewall_and_Routing.html
and http://shorewall.net/MultiISP.html, however I am still a bit confused how
to organize what I need.
I've a simple "layout" like a lot of people here have:
                      eth0
LAN (192.168.1.0/24) ------ Shorewall --- eth1 --- DSL --- SVR
                               |
                               +--- eth2 --- DSL --- OGO
"Shorewall" box is a RH 7.3, Shorewall itself is version 2.4.7.
Preface.
1. SVR is a very good, but expensive ISP. However, all kinds of local
(Ukrainian) traffic are free of charge.
2. OGO is not so good as SVR, but it's cheap. However, it doesn't make
a difference between local and foreign traffic -- it charges for any traffic.
3. There is an URL, where I can grab current version of local subnets list.
That list changes frequently, so we do grabbing every 15 mins.
4. I don't need any kind of load balancing!
What do I need?
1. For most LAN default route is OGO.
1.1. All local traffic should be routed to SVR.
1.2. Traffic from some IPs in the LAN (192.168.1.2, 3 and 4) should be
routed only over SVR (CIO, CEO and other "officers").
2. If OGO is down, all traffic (not only local) from the LAN (including
"officer's" traffic) should go over SVR.
2.1. Otherwise, if SVR is down, all traffic including 192.168.1.2, 3 and
4's, should go over OGO.
2.2. Once we detect that OGO is up again, all traffic from the LAN goes
over OGO again, local traffic goes over SVR, "officers'" traffic over SVR.
How do I plan to implement that and what questions I have?
1. Set default gw to OGO.
1.1. Grab the list of local subnets via bash script every 15 min and then
implement proper "route" command for every row in that list in order to
point local traffic over SVR.
1.2. Here is Q: is that possible to do with Shorewall itself? Or I need to
do that via "ip route" manually? Tom says: "As of this writing, I know of
no distribution that is shipping a kernel or iptables with the ROUTE target
patch included. This means that you must patch and build your own kernel
and iptables in order to be able to use the feature described in this
section.
This code remains experimental since there is no intent by the Netfilter
team to ever submit the ROUTE target patch for inclusion in the official
kernels from kernel.org. This support may also be removed from Shore-
wall in a future release." And this is my "shorewall show capabilities":
[root <at> k9-66 root]# shorewall show capabilities
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Extended Multi-port Match: Not available
Connection Tracking Match: Not available
Packet Type Match: Not available
Policy Match: Not available
Physdev Match: Not available
IP range Match: Not available
Recent Match: Not available
Owner Match: Available
Ipset Match: Not available
ROUTE Target: Not available
^^^^^^^^^^^^ -- so /etc/shorewall/routes is not for me!
Extended MARK Target: Not available
CONNMARK Target: Not available
^^^^^^^^^^^^ -- so "track" option in the /etc/shorewall/providers
also not for me (w/o recompiling kernel/iptables).
Connmark Match: Not available
Raw Table: Not available
[root <at> k9-66 root]#
2, 2.1 and 2.2 I plan to implement via bash script (not a topic to
discuss here).
Finally, I think my /etc/shorewall should be like that:
- interfaces:
svr eth1 detect norfc1918,nobogons,routefilter,blacklist,tcpflags,
routeback,nosmurfs
ogo eth2 detect norfc1918,nobogons,routefilter,blacklist,tcpflags,
routeback,nosmurfs
loc eth0 detect tcpflags,nosmurfs
- masq:
eth1 eth0
eth2 eth0
Using the above masq file means that PBR for so called officers is organized
via "ip route" by the script and can be switched off by the script, if
needed.
- policy:
loc fw ACCEPT
loc svr ACCEPT
loc ogo ACCEPT
fw loc ACCEPT
fw svr ACCEPT
fw ogo ACCEPT
all all DROP
- providers:
SVR 1 1 main eth1 IP.OF.SVR.GW track (?) eth0
OGO 2 2 main eth2 IP.OF.OGO.GW track (?) eth0
- zones:
svr svr svr
ogo ogo ogo
loc loc loc
- rules:
AllowPing svr fw
AllowSSH svr fw
AllowFTP svr fw
AllowSMTP svr fw
AllowPing ogo fw
AllowSSH ogo fw
AllowFTP ogo fw
AllowSMTP ogo fw
So, the main Q is: if I use PBR via "ip route" commands from the script,
will the above files do exactly what I want? I think not. Any help is
appreciated. Thanks.
--
MNV-UANIC
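The plan above (default route via OGO, each fetched local subnet steered to SVR, the three "officer" hosts forced to SVR with policy routing) can be expressed as a small shell script. The script below is an added example, not Nick's script or anything from the Shorewall project. It assumes a SVR gateway of 10.0.0.1 on eth1 and a routing table named "svr" that the admin has added to /etc/iproute2/rt_tables; the officer addresses are the ones from the post. Because the subnet list is fetched from a remote URL every 15 minutes, every line is validated as a plain a.b.c.d/n prefix before it is handed to ip(8), so a bad or tampered list cannot inject shell commands or garbage routes. Without APPLY=1 the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example (assumed values, not from the thread): SVR gateway on eth1,
# OGO stays the default route in the main table, table "svr" (assumed to be
# in /etc/iproute2/rt_tables) carries a default route via SVR for officers.
SVR_GW="${SVR_GW:-10.0.0.1}"
SVR_IF="${SVR_IF:-eth1}"
SVR_TABLE="${SVR_TABLE:-svr}"
OFFICERS="192.168.1.2 192.168.1.3 192.168.1.4"

# valid_cidr: accept only a strict IPv4 a.b.c.d/n prefix (octets <= 255,
# prefix length <= 32). The list comes from a remote URL, so nothing is
# passed on to ip(8) unless it has exactly this shape.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 1
    addr=${1%/*}; plen=${1#*/}
    [ "$plen" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    return 0
}

# gen_local_routes: read the subnet list on stdin (one prefix per line,
# blank lines and '#' comments allowed) and emit one "ip route replace"
# per valid prefix, steering that subnet to SVR in the main table.
# Invalid lines are reported on stderr and skipped, never applied.
gen_local_routes() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d ' \t\r')
        [ -n "$line" ] || continue
        if valid_cidr "$line"; then
            printf 'ip route replace %s via %s dev %s\n' "$line" "$SVR_GW" "$SVR_IF"
        else
            printf 'skipping invalid entry: %s\n' "$line" >&2
        fi
    done
}

# gen_officer_rules: default route for table "svr" plus one policy rule per
# officer host, so their traffic ignores the main-table default (OGO).
gen_officer_rules() {
    printf 'ip route replace default via %s dev %s table %s\n' "$SVR_GW" "$SVR_IF" "$SVR_TABLE"
    pref=100
    for host in $OFFICERS; do
        printf 'ip rule add from %s/32 lookup %s pref %d\n' "$host" "$SVR_TABLE" "$pref"
        pref=$((pref + 1))
    done
}

# Constructed sample list (not the real subnet list) used when LIST_FILE
# is unset; it deliberately contains entries that must be rejected.
SAMPLE_LIST='# constructed sample list
192.0.2.0/24
198.51.100.0/24
not-a-subnet
10.300.1.0/24
203.0.113.0/40
'

# Usage (preview):  LIST_FILE=/var/tmp/local-nets.txt sh svr_routes.sh
# Usage (apply):    LIST_FILE=/var/tmp/local-nets.txt APPLY=1 sh svr_routes.sh
main() {
    cmds=$( {
        if [ -n "${LIST_FILE:-}" ]; then gen_local_routes < "$LIST_FILE"
        else printf '%s' "$SAMPLE_LIST" | gen_local_routes; fi
        gen_officer_rules
    } )
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$cmds" | sh -e      # run as root; stop at the first failure
    else
        printf '%s\n' "$cmds"
    fi
}
main
```

Fetch the list to a file first (for example with curl or wget from cron) and then run the script with LIST_FILE pointing at it; that keeps the download and the route changes as separate steps, so a failed fetch leaves the previous routes untouched. Since a shorewall restart re-applies the providers file and can reset the main table, the script should also be re-run after each restart, e.g. from the /etc/shorewall/started extension script.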
-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

Re: Two ISP

Nick Mashchenko escribió:
> [root <at> k9-66 root]# shorewall show capabilities
> Loading /usr/share/shorewall/functions...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Loading Modules...
> Shorewall has detected the following iptables/netfilter capabilities:
> NAT: Available
> Packet Mangling: Available
> Multi-port Match: Available
> Extended Multi-port Match: Not available
> Connection Tracking Match: Not available
> Packet Type Match: Not available
> Policy Match: Not available
> Physdev Match: Not available
> IP range Match: Not available
> Recent Match: Not available
> Owner Match: Available
> Ipset Match: Not available
>
> ROUTE Target: Not available
> ^^^^^^^^^^^^ -- so /etc/shorewall/routes is not for me!
>
> Extended MARK Target: Not available
>
> CONNMARK Target: Not available
> ^^^^^^^^^^^^ -- so "track" option in the /etc/shorewall/providers
> also not for me (w/o recompiling kernel/iptables).
>
> Connmark Match: Not available
> Raw Table: Not available
> [root <at> k9-66 root]#
>
Please, do not expect Multi ISP to work in RH 7.3, sorry. Tom deployed
Multi ISP support when he was using FC4 and SUSE 9.3 (READ: 6 (!) distro
versions after RH 7.3).
We simply do not support that, sorry; it will take you a significant
amount of work (recompiling kernel, iptables, and other) and I kindly
recommend you **DON'T DO THAT**, it's not worth the hassle.
Upgrade your distro (FC5 is out) and try again.

Help with Webmin Module

Henrique <henrique.ulbrich <at> gmail.com>
2006-04-02 22:02:50 GMT

Hello People
I'm new here, so forgive me for any "newbie talk".
My client is running Debian Sarge (Stable), with Shorewall and Webmin. I want
to make things easier for them and tried to use the webmin-shorewall module.
The thing is - the installed shorewall is 3.0.5 (package from testing) but the
webmin module only understands (and builds) the old shorewall 2.x file
format. The webmin module is from testing too.
Is there any place where I can get a webmin module for shorewall that can
handle the 3.0 branch?
Thanks in advance
--
Henrique Cesar Ulbrich
henrique.ulbrich <at> gmail.com

Re: Help with Webmin Module

Henrique escribió:
> Hello People
>
> I'm new here, so forgive-me for any "newbie talk".
>
> My client is running Debian Sarge (Stable), with Shorewall and Webmin. I want
> to make things easier for them and tried to use the webmin-shorewall module.
>
> The thing is - the installed shorewall is 3.0.5 (package from testing) but the
> webmin module only understands (and builds) the old shorewall 2.x file
> format. The webmin module is from testing too.
>
> Is there anyplace where I can get a webmin module for shorewall that can
> handle the 3.0 branch?
>
> Thanks in advance
Henrique:
Nobody at shorewall.net is involved in webmin module development
(AFAIK), and yes, last time I saw it, it only understood shorewall 2.4.x
configurations.
I have no idea if you can get a compatible module via webmin
update; usually the webmin module is ages behind current shorewall development.
If your specific problem is the "zones" file, you can use
IPSECFILE=ipsec
in shorewall.conf and then you will be able to write the zones file in
the old format.

Re: Help with Webmin Module

Henrique <henrique.ulbrich <at> gmail.com>
2006-04-02 23:34:19 GMT

Historians believe that,
in April 2, 2006 19:29, Cristian Rodriguez wrote:
> Nobody at shorewall.net is involved in webmin module development
> (AFAIK), and yes, last time I saw it, it only understand shorewall 2.4.x
> configurations.
Thank you for answering, Cristian.
Yes, I know the webmin module is not maintained by anyone at Shorewall.net.
> I have no idea, if you can get a compatible module via webmin
> update,usually webmin module is ages from current shorewall development,.
I was just asking if someone had a clue on what to do.
I thought about the compat-mode you described:
> if your specific problem is the "zones" file, you can use
>
> IPSECFILE=ipsec
>
> in shorewall.conf and then you will be able to write the zone file in
> the old format.
Thanks for the tip. I was thinking about doing it (it's described in the
sample file), but before that I decided to ask.
I'll try to figure out who is maintaining it at webmin.com and work with
him/her to fix/update the thing. It's a useful tool, especially for dummies
(some people frown at having to edit text files...).
Thanks again for your kind answer.
--
Henrique Cesar Ulbrich
henrique.ulbrich <at> gmail.com
Chuck Norris uses Debian, Shorewall and Webmin

Re: Help with Webmin Module

Rune Kock <rune.kock <at> gmail.com>
2006-04-03 10:03:48 GMT

Hi Henrique
> My client is running Debian Sarge (Stable), with Shorewall and
> Webmin. I want to make things easier for them and tried to
> use the webmin-shorewall module.
Actually, I find using Webmin a lot more difficult than editing the
Shorewall configuration files. This is because the files themselves
have lots of useful comments -- in Webmin, there are no explanations
of what you are doing.
By the way, Webmin has been removed from Debian (Etch/unstable)
because the maintainer didn't feel the adaptation to Debian was of a
reasonable quality. So I wouldn't put my money on the Debian/Webmin
combination.
Rune

Blocking applications using shorewall

Asim Ahmed Khan <asimak77 <at> gmail.com>
2006-04-03 11:17:01 GMT

Hi all,

I have a little experience with a Windows-based firewall, Kerio Winroute. In that I was able to block applications using packet header contents instead of the port they use, since modern p2p apps change ports if they find one blocked. Is it possible in Shorewall that I can:

1. Block all download attempts using file extensions. For example, I can block all *.mp3 files from downloading.

2. Can I check the packet header to see if it belongs to Kazaa / MSN Messenger and then block it?